Showing posts from August, 2016

Hot off the press!

The security awareness topic for September is communications security. It is just as important to protect information while it is being communicated as when it is stored and processed, and yet communications mechanisms are numerous, widespread, complex, dynamic and hence tricky to control. Communications security is a substantial challenge for every organization, even the very best. We have covered various aspects of communications from different angles many times before in the awareness program, mostly emphasizing ICT (information and communications technologies) but also the human aspects such as social engineering and fraud. This time around we supplement the usual fare with something new: body language. Aside from the actual words we use in conversation or in writing, the way we express stuff is often just as revealing - in fact, in information security terms, body language qualifies as a communications side-channel. The TV is awash with examples, such as the US presiden...

Droning on and on

In connection with an awareness module on physical security in July 2015, I blogged about the possibility of people using drones to deliver drugs and other contraband to prisons ... and sure enough they are. The same technology could be used to deliver drugs to dealers and addicts, I guess, or books, or crop sprays, or pizza and beer. Or bombs. We know that drones are a threat to low-flying aircraft, near airports particularly, while they are clearly being used for military purposes including surveillance and delivery platforms for weapons. The police have their eye on them too. The big question is how the authorities plan to treat the associated risks. Drones can be detected using radar, radio receivers and audio location, as well as visually including infrared. Tracking them is possible by eye or using pan-and-tilt mounts and electronics similar to those used for missiles. However, small drones have tiny signatures, while military dron...

The Navy lark

The official US navy report into an embarrassing incident in the Arabian Gulf at the start of this year is well worth reading. In short, the incident involved two US navy patrol boats straying into Iranian territorial waters around Farsi Island, one of them suffering a mechanical failure, then both being intercepted by an armed force of Iranians from the island. Without a shot being fired, the navy crews were 'captured', taken to the island, interrogated, videoed and released the next day. No big deal in the grand scheme of things ... but distinctly embarrassing for the US navy and government, as well as those directly involved. The lightly-redacted report was produced by an official investigation into the incident and, as usual for such things, it points the finger at a number of contributory factors, systemic issues or root causes that failed to prevent or avoid the incident. As usual, the wording is quite formalized, stilted and circumspect in places but if you rea...

Have fun learning

The simple structure of our awareness quiz belies its effectiveness as a security awareness mechanism: in the right setting with a good facilitator and (most of all) a group of willing, cheerful, fun-loving participants who are up for a laugh, the quiz can be a supremely memorable and effective learning experience. In awareness terms, that's a remarkably powerful outcome. Really, a 'supremely memorable and effective learning experience'? That's no idle claim. This is not an empty marketing piece. Trust me, I know what I'm saying. Every security awareness module includes a quiz supporting the information security topic ... but it's probably not what you have in mind. A conventional quiz would be a set of factual questions with the corresponding answers, the sort of thing that some mind-numbingly banal TV presenter/celebrity might try to flog into life with a bit of (fake) drama and (pumped-up) audience participation. We deliberately avoid that approach. For us,...

Sony still paying for the hack

The Sony hack two years ago is still costing Sony money. An article in the Hollywood Reporter notes that Sony has paid $millions already: "After the hack, Sony has faced several lawsuits over failure to safeguard private data and most notably settled a class action from former employees in a deal worth somewhere between $5.5 million to $8 million." That is on top of the substantial costs directly incurred in or caused by the incident, including the loss of business, inability for Sony Pictures Entertainment to operate for several weeks, penalties from the authorities due to its problems filing financial results on time, and of course the incident investigation and actions arising, clearing up the mess. Possibility Pictures is now claiming compensation for the loss of revenue on one of its films that Sony was supposed to be distributing. "To Write Love on Her Arms" was one of five films stolen in the hack and released onto the Internet as part of the incident. Pos...

Another dubious survey

According to a Vanson Bourne survey conducted for McAfee (now part of Intel Security), specialist "cybersecurity"* professionals are in high demand. No surprise there. The report reveals that respondents feel their governments are not doing enough to close the skills gap: "Respondents in all countries surveyed said cybersecurity education was deficient. Eighty-two percent of respondents report a shortage of cybersecurity skills. More than three out of four (76%) respondents believe their government is not investing enough in cybersecurity talent." No surprise there either. Apparently the shortage is worse in 'high-value skills' (isn't that simply the result of supply and demand - a shortage of supply increases the price people are willing to pay?) and is worse in cybersecurity than in 'other IT professions' (implying that the report's authors consider cybersecurity to be an IT profession): "High-value skills are in critically short s...